DJB writes:

DNSSEC reduces existing confidentiality by publishing the complete list of
"secured" DNS records. This publication is integrated into the DNSSEC
protocol; it is independent of classic "zone transfers" and cannot be
disabled by administrators. The "NSEC3" variant of DNSSEC attempts to
reduce this exposure but is almost always breakable.

(source: retrieved Tuesday, September 2nd, 9:31 am BST)

I'd like to have more information on how the "NSEC3" variant of DNSSEC is
almost always breakable. I'd like to know how to interpret "almost always


Roy Arends
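The mechanism behind the quoted claim, as an added worked example that is not
part of the original message or of DJB's text: NSEC3 (RFC 5155) replaces the
plaintext owner names in the chain with salted, iterated SHA-1 hashes encoded in
base32hex. The hash hides nothing from an attacker who can guess the label,
because the salt and iteration count are published in the zone and the same
computation can be run offline against a wordlist. The parameters (salt
aabbccdd, 12 iterations, zone "example") are the RFC 5155 Appendix A values;
the "observed" hashes, the wordlist and the name "secret-host" are constructed
for the example, and recover_names() is a hypothetical helper, not a tool or
API from any DNSSEC implementation.

```python
import base64
import hashlib

# RFC 5155 uses base32 with the "extended hex" alphabet; translate the
# standard base32 alphabet into it.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt);
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt), H = SHA-1.
    'iterations' is the number of additional rounds after the first hash."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> 32 base32hex characters, no padding; zones publish them lowercase
    return base64.b32encode(digest).translate(_TO_HEX).decode("ascii").lower()


def recover_names(observed_hashes, zone: str, salt: bytes, iterations: int, wordlist):
    """Hypothetical offline dictionary attack: hash every candidate name with the
    zone's published NSEC3 parameters and match against the hashes seen in the
    NSEC3 chain. Returns {hash: recovered_name} for every hit."""
    table = {nsec3_hash(zone, salt, iterations): zone}  # the apex is always present
    for word in wordlist:
        candidate = f"{word}.{zone}"
        table[nsec3_hash(candidate, salt, iterations)] = candidate
    return {h: table[h] for h in observed_hashes if h in table}


# Constructed scenario: an attacker has walked the NSEC3 chain of "example"
# (parameters from RFC 5155 Appendix A) and collected these owner hashes.
ZONE = "example"
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
SECRET_NAMES = ["a.example", "ns1.example", "xx.example", "secret-host.example"]
OBSERVED = [nsec3_hash(n, SALT, ITERATIONS) for n in SECRET_NAMES]
# Constructed wordlist: common labels an attacker would try first.
WORDLIST = ["www", "mail", "ns1", "ns2", "a", "xx", "vpn"]


def demo():
    hits = recover_names(OBSERVED, ZONE, SALT, ITERATIONS, WORDLIST)
    for h in OBSERVED:
        print(f"{h}  ->  {hits.get(h, '(not in wordlist)')}")
    return hits


if __name__ == "__main__":
    demo()
```

Three of the four hashes fall to a seven-word list; only the name that is not
in the wordlist survives, which is the sense in which the hashing merely raises
the attacker's cost rather than providing confidentiality. Raising the iteration
count slows the attacker and the resolver by the same factor, so it cannot
change the outcome for guessable names.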
